#!/bin/bash

#1 Initial Setup     
#1.1 Filesystem Configuration     
#1.1.1 Disable unused filesystems     

#1.1.1.1 Ensure mounting of cramfs filesystems is disabled          
disable_cramfs() {
test_module_disabled "cramfs"
}
#1.1.1.2 Ensure mounting of freevxfs filesystems is disabled         
disable_freevxfs() {
test_module_disabled "freevxfs"
}
#1.1.1.3 Ensure mounting of jffs2 filesystems is disabled         
disable_jffs2() {
test_module_disabled "jffs2"
}
#1.1.1.4 Ensure mounting of hfs filesystems is disabled         
disable_hfs() {
test_module_disabled "cramfs"
}
#1.1.1.5 Ensure mounting of hfsplus filesystems is disabled         
disable_hfsplus() {
test_module_disabled "hfsplus"
}
#1.1.1.6 Ensure mounting of udf filesystems is disabled         
disable_udf() {
test_module_disabled "udf"
}
#1.1.2 Ensure /tmp is configured         
mount_tmp() {
test_mount "/tmp"
}
#1.1.3 Ensure nodev option set on /tmp partition          
nodev_tmp() {
test_mount_option "/tmp" "nodev"
}
#1.1.4 Ensure nosuid option set on /tmp partition         
nosuid_tmp() {
test_mount_option "/tmp" "nosuid"
}
#1.1.5 Ensure noexec option set on /tmp partition  
noexec_tmp() {
test_mount_option "/tmp" "noexec"
}       
#1.1.6 Ensure /dev/shm is configured 
mount_shm() {
test_mount "/dev/shm"
}        
#1.1.7 Ensure nodev option set on /dev/shm partition   
nodev_shm() {
test_mount_option "/dev/shm" "nodev"
}       
#1.1.8 Ensure nosuid option set on /dev/shm partition
nosuid_shm() {
test_mount_option "/dev/shm" "nosuid"
}         
#1.1.9 Ensure noexec option set on /dev/shm partition 
noexec_shm() {
test_mount_option "/dev/shm" "noexec"
}        
#1.1.10 Ensure separate partition exists for /var
mount_var() {
test_mount "/var"
}         
#1.1.11 Ensure separate partition exists for /var/tmp
mount_var_tmp() {
test_mount "/var/tmp"
}         
#1.1.12 Ensure /var/tmp partition includes the nodev option
nodev_var_tmp() {
test_mount_option "/var/tmp" "nodev"
}
#1.1.13 Ensure /var/tmp partition includes the nosuid option
nosuid_var_tmp() {
test_mount_option "/var/tmp" "nosuid"

}         
#1.1.14 Ensure /var/tmp partition includes the noexec option
noexec_var_tmp() {
test_mount_option "/var/tmp" "noexec"
}         
#1.1.15 Ensure separate partition exists for /var/log
mount_var_log() {
test_mount "/var/log"
}         
#1.1.16 Ensure separate partition exists for /var/log/audit
mount_var_log_audit() {
test_mount "/var/log/audit"
}         
#1.1.17 Ensure separate partition exists for /home
mount_home() {
test_mount "/home"
}         
#1.1.18 Ensure /home partition includes the nodev option
nodev_home() {
test_mount_option "/home" "nodev"
}         
#1.1.19 Ensure nodev option set on removable media partitions
nodev_media() {
test_mount_option "/media" "nodev"
}          
#1.1.20 Ensure nosuid option set on removable media partitions
nosuid_media() {
test_mount_option "/media" "nosuid"
}         
#1.1.21 Ensure noexec option set on removable media partitions
noexec_media() {
test_mount_option "/media" "noexec"
}         
#1.1.22 Ensure sticky bit is set on all world-writable directories
sticky(){
test_sticky
}    
#1.1.23 Disable Automounting
autofs_disable(){
test_service_disable "autofs"
}          
#1.1.24 Disable USB Storage
disable_usb-storage() {
test_module_disabled " usb-storage"
}         
#1.2 Configure Software Updates      
#1.2.1 Ensure package manager repositories are configured 
apt_cache() {
test_apt_cache 
}                 
#1.2.2 Ensure GPG keys are configured 
apt_list() {
test_apt_list
}        
#1.3 Filesystem Integrity Checking     
#1.3.1 Ensure AIDE is installed  
aide_installed() {
test_apt_installed "aide" && test_apt_installed "aide-common" || return
}        
#1.3.2 Ensure filesystem integrity is regularly checked
aide_crontab() {
test_crontab 
}         
#1.4 Secure Boot Settings      
#1.4.1 Ensure permissions on bootloader config are not overridden 
grub_not_overridden() {
test_grub_not_overridden 
}       
#1.4.2 Ensure bootloader password is set 
grub_password() {
test_grub_password 
}        
#1.4.3 Ensure permissions on bootloader config are configured 
grub_permissions() {
test_grub_permissions 
}        
#1.4.4 Ensure authentication required for single user mode    
grub_auth() {
test_grub_auth 
}     
#1.5 Additional Process Hardening      
#1.5.1 Ensure XD/NX support is enabled 
xd_nx() {
test_xd_nx_support_enabled
}        
#1.5.2 Ensure address space layout randomization (ASLR) is enabled
aslr() {
test_sysctl kernel.randomize_va_space
}         
#1.5.3 Ensure prelink is disabled 
prelink_uninstalld() {
test_apt_uninstalled "prelink"
}
#1.5.4 Ensure core dumps are restricted  
hard_core() {
test_restrict_core_dumps
}       
#1.6 Mandatory Access Control     
#1.6.1 Configure AppArmor      
#1.6.1.1 Ensure AppArmor is installed
apparmor_installd() {
test_apt_installed "apparmor"
}         
#1.6.1.2 Ensure AppArmor is enabled in the bootloader configuration
apparmor_enabled() {
test_apparmor_enabled
}            
#1.6.1.3 Ensure all AppArmor Profiles are in enforce or complain mode   
apparmor_profiles() {
test_apparmor_profiles  "complain"
}     
#1.6.1.4 Ensure all AppArmor Profiles are enforcing
apparmor_enforce() {
test_apparmor_profiles  "enforce"
}         
#1.7 Command Line Warning Banners    
#1.7.1 Ensure message of the day is configured properly
motd_banner() {
test_banner ${MOTD}
}        
#1.7.2 Ensure permissions on /etc/issue.net are configured
issue_net_permissions() {
test_permissions_0644_root_root ${ISSUE_NET}
}        
#1.7.3 Ensure permissions on /etc/issue are configured
issue_permissions() {
test_permissions_0644_root_root ${ISSUE}
}         
#1.7.4 Ensure permissions on /etc/motd are configured 
motd_permissions() {
test_permissions_0644_root_root ${MOTD}
}       
#1.7.5 Ensure remote login warning banner is configured properly
issue_net_banner() {
test_banner ${ISSUE_NET}
}        
#1.7.6 Ensure local login warning banner is configured properly
issue_banner() {
test_banner ${ISSUE}
}   
#1.8 GNOME Display Manager     
#1.8.1 Ensure GNOME Display Manager is removed 
gdm_uninstalled() {
test_apt_uninstalled "gdm3"
}        
#1.8.2 Ensure GDM login banner is configured
gdm_configured() {
test_apt_installed "gdm3" || return 2
test_gdm_configured
}       
#1.8.3 Ensure disable-user-list is enabled
gdm_disabled() {
test_apt_installed "gdm3" || return 2
test_gdm_disabled
}  
#1.8.4 Ensure XDCMP is not enabled
XDMCP_disabled(){
test_XDMCP_disabled
}        
#1.9 Ensure updates, patches, and additional security software are installed
apt_check_update() {
test_apt_check_update
}  

# 2 Services    
# 2.1 Special Purpose Services    
# 2.1.1 Time Synchronization    
# 2.1.1.1 Ensure time synchronization is in use 
time_sync_services(){
test_time_sync_services_enabled
}       
# 2.1.1.2 Ensure systemd-timesyncd is configured 
timesyncd_cfg(){
test_timesyncd_cfg
}        
# 2.1.1.3 Ensure chrony is configured 
chrony_cfg(){
test_apt_installed "chrony" || return 2
test_chrony_cfg
}       
# 2.1.1.4 Ensure ntp is configured
ntp_cfg(){
test_apt_installed "ntp" || return 2
test_ntp_cfg
}        
# 2.1.2 Ensure X Window System is not installed 
xwindow_uninstalled(){
test_apt_uninstalled "xserver-xorg*"
}       
# 2.1.3 Ensure Avahi Server is not installed
avahi_uninstalled(){
test_apt_uninstalled "avahi"
}        
# 2.1.4 Ensure CUPS is not installed
cpus_uninstalled(){
test_apt_uninstalled "cpus"
}        
# 2.1.5 Ensure DHCP Server is not installed
dhcp_uninstalled(){
test_apt_uninstalled "isc-dhcp-server"
}        
# 2.1.6 Ensure LDAP server is not installed 
ldap_uninstalled(){
test_apt_uninstalled "slapd"
}        
# 2.1.7 Ensure NFS is not installed 
nfs_uninstalled(){
test_apt_uninstalled "nfs-kernel-server"
}       
# 2.1.8 Ensure DNS Server is not installed 
dns_uninstalled(){
test_apt_uninstalled "bind9"
}         
# 2.1.9 Ensure FTP Server is not installed
ftp_uninstalled(){
test_apt_uninstalled "vsftpd"
}         
# 2.1.10 Ensure HTTP server is not installed
http_uninstalled(){
test_apt_uninstalled "apache2"
}         
# 2.1.11 Ensure IMAP and POP3 server are not installed  
imap_uninstalled(){
test_apt_uninstalled "dovecot-imapd"
}       
# 2.1.12 Ensure Samba is not installed     
samba_uninstalled(){
test_apt_uninstalled "samba"
}    
# 2.1.13 Ensure HTTP Proxy Server is not installed    
squid_uninstalled(){
test_apt_uninstalled "squid"
}
# 2.1.14 Ensure SNMP Server is not installed  
snmpd_uninstalled(){
test_apt_uninstalled "snmpd"
}       
# 2.1.15 Ensure mail transfer agent is configured for local-only mode  
mta_local_only(){
test_mta_local_only
}      
# 2.1.16 Ensure rsync service is not installed  
rsync_uninstalled(){
test_apt_uninstalled "rsync"
}       
# 2.1.17 Ensure NIS Server is not installed  
nis_uninstalled(){
test_apt_uninstalled "nis"
}       
# 2.2 Service Clients     
# 2.2.1 Ensure NIS Client is not installed  
nis_cli_uninstalled(){
test_apt_uninstalled "ypbind"
}      
# 2.2.2 Ensure rsh client is not installed  
rsh_cli_uninstalled(){
test_apt_uninstalled "rsh-client"
}       
# 2.2.3 Ensure talk client is not installed
talk_cli_uninstalled(){
test_apt_uninstalled "talk"
}        
# 2.2.4 Ensure telnet client is not installed  
telnet_cli_uninstalled(){
test_apt_uninstalled "telnet"
}      
# 2.2.5 Ensure LDAP client is not installed   
ldap_cli_uninstalled(){
test_apt_uninstalled "ldap-utils"
}     
# 2.2.6 Ensure RPC is not installed 
rpc_cli_uninstalled(){
test_apt_uninstalled "rpcbind"
}       
# 2.3 Ensure nonessential services are removed or masked  

# 3 Network Configuration    
# 3.1 Disable unused network protocols and devices    
# 3.1.1 Disable IPv6     
ipv6_disabled(){
test_ipv6_disabled
}   
# 3.1.2 Ensure wireless interfaces are disabled    
wireless_disabled(){
test_wireless_if_disabled
}    
# 3.2 Network Parameters (Host Only)    
# 3.2.1 Ensure packet redirect sending is disabled   
redirect_disabled(){
test_net_ipv4_conf_all_default send_redirects 0
}    
# 3.2.2 Ensure IP forwarding is disabled
forward_disabled(){
test_sysctl net.ipv4.ip_forward 0
}          
# 3.3 Network Parameters (Host and Router)    
# 3.3.1 Ensure source routed packets are not accepted   
routed_accepted(){
test_net_ipv4_conf_all_default accept_source_route 0
}     
# 3.3.2 Ensure ICMP redirects are not accepted 
icmp_redirects(){
test_net_ipv4_conf_all_default accept_source_route 0
}        
# 3.3.3 Ensure secure ICMP redirects are not accepted  
icmp_secure_redirects(){
test_net_ipv4_conf_all_default secure_redirects 0
}      
# 3.3.4 Ensure suspicious packets are logged
logged_suspicious(){
test_net_ipv4_conf_all_default log_martians 1
}        
# 3.3.5 Ensure broadcast ICMP requests are ignored
icmp_broadcast(){
test_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
}        
# 3.3.6 Ensure bogus ICMP responses are ignored  
icmp_bogus(){
test_sysctl net.ipv4.icmp_ignore_bogus_error_responses 1
}      
# 3.3.7 Ensure Reverse Path Filtering is enabled  
reverse_path(){
test_net_ipv4_conf_all_default rp_filter 1
}      
# 3.3.8 Ensure TCP SYN Cookies is enabled   
syncookies_enabled(){
test_sysctl net.ipv4.tcp_syncookies 1
}     
# 3.3.9 Ensure IPv6 router advertisements are not accepted     
ipv6_router(){
test_net_ipv6_conf_all_default accept_ra 0
}   
# 3.4 Uncommon Network Protocols     
# 3.4.1 Ensure DCCP is disabled     
dccp_disabled(){
test_module_disabled dccp
}    
# 3.4.2 Ensure SCTP is disabled        
sctp_disabled(){
test_module_disabled sctp
}
# 3.4.3 Ensure RDS is disabled  
rds_disabled(){
test_module_disabled rds
}      
# 3.4.4 Ensure TIPC is disabled     
tipc_disabled(){
test_module_disabled tipc
}   
# 3.5 Firewall Configuration   
firewall_all_uninstalled(){
test_apt_installed ufw || test_apt_installed iptables_persistent || test_apt_installed nftables || return 1
return 0
}  
# 3.5.1 Configure UncomplicatedFirewall     
# 3.5.1.1 Ensure ufw is installed      
ufw_installed(){
test_apt_installed ufw  && test_apt_uninstalled iptables-persistent &&  test_apt_uninstalled nftables
}  
# 3.5.1.2 Ensure iptables-persistent is not installed with ufw   
    
# 3.5.1.3 Ensure ufw service is enabled  
ufw_run(){
test_apt_installed ufw || return 2
test_ufw_run
}        
# 3.5.1.4 Ensure ufw loopback traffic is configured   
ufw_loopback(){
test_apt_installed ufw || return 2
test_ufw_loopback
}     
# 3.5.1.5 Ensure ufw outbound connections are configured 
ufw_outbound_connections(){
test_apt_installed ufw || return 2
test_ufw_outbound_connections
}

# 3.5.1.6 Ensure ufw firewall rules exist for all open ports  
ufw_rules_for_open_ports(){
test_apt_installed ufw || return 2
test_ufw_rules_for_open_ports 
}

# 3.5.1.7 Ensure ufw default deny firewall policy   
ufw_default_deny_policy(){
test_apt_installed ufw || return 2
test_ufw_default_deny_policy 
}      
# 3.5.2 Configure nftables     
# 3.5.2.1 Ensure nftables is installed 
nftables_installed(){
test_apt_installed nftables  && test_apt_uninstalled iptables-permanent &&  test_apt_uninstalled ufw    
}        
# 3.5.2.2 Ensure ufw is uninstalled or disabled with nftables 
    
# 3.5.2.3 Ensure iptables are flushed with nftables  
iptables_empty(){
test_apt_installed "iptables-persistent" || return 2
test_iptables_empty
}      
# 3.5.2.4 Ensure a nftables table exists   
nftables_table(){
test_apt_installed "nftables" || return 2
test_nftables_table "filter"
}     
# 3.5.2.5 Ensure nftables base chains exist    
nftables_base_chains(){
test_apt_installed "nftables" || return 2
test_nftables_base_chains
}    
# 3.5.2.6 Ensure nftables loopback traffic is configured  
nftables_loopback(){
test_apt_installed "nftables" || return 2
test_nftables_loopback
}      
# 3.5.2.7 Ensure nftables outbound and established connections are configured  
nftables_outbound_established_connections(){
test_apt_installed "nftables" || return 2
test_nftables_outbound_established_connections
}      
# 3.5.2.8 Ensure nftables default deny firewall policy    
nftables_default_deny_policy(){
test_apt_installed "nftables" || return 2
test_nftables_default_deny_policy
}    
# 3.5.2.9 Ensure nftables service is enabled   
nftables_enabled(){
test_apt_installed "nftables" || return 2
test_service_enabled "nftables"
}     
# 3.5.2.10 Ensure nftables rules are permanent   
nftables_persistent_rules(){
test_apt_installed "nftables" || return 2
test_nftables_persistent_rules
}     
# 3.5.3 Configure iptables    
# 3.5.3.1.1 Ensure iptables packages are installed    
iptables_installed(){
test_apt_installed iptables && test_apt_installed "iptables-persistent"  && test_apt_uninstalled ufw &&  test_apt_uninstalled nftables     
}    
# 3.5.3.1.2 Ensure nftables is not installed with iptables       
# 3.5.3.1.3 Ensure ufw is uninstalled or disabled with iptables       
# 3.5.3.2.1 Ensure iptables default deny firewall policy 
iptables_default_deny_policy(){
test_apt_installed "iptables" && test_apt_installed "iptables-persistent" || return 2
test_iptables_default_deny_policy "iptables"
}        
# 3.5.3.2.2 Ensure iptables loopback traffic is configured  
iptables_loopback(){
test_apt_installed "iptables" && test_apt_installed "iptables-persistent" || return 2
test_iptables_loopback
}      
# 3.5.3.2.3 Ensure iptables outbound and established connections are configured  
iptables_outbound_and_established(){
test_apt_installed "iptables" && test_apt_installed "iptables-persistent" || return 2
test_iptables_outbound_and_established
}      
# 3.5.3.2.4 Ensure iptables firewall rules exist for all open ports   
iptables_rules_for_open_ports(){
test_apt_installed "iptables" && test_apt_installed "iptables-persistent" || return 2
test_iptables_rules_for_open_ports "iptables"
}
# 3.5.3.3.1 Ensure ip6tables default deny firewall policy  
ip6tables_default_deny_policy(){
test_apt_installed "iptables" && test_apt_installed "iptables-persistent" || return 2
test_iptables_default_deny_policy "ip6tables"
}      
# 3.5.3.3.2 Ensure ip6tables loopback traffic is configured 
ip6tables_loopback(){
test_apt_installed "iptables" && test_apt_installed "iptables-persistent" || return 2
test_ip6tables_loopback
}       
# 3.5.3.3.3 Ensure ip6tables outbound and established connections are configured 
ip6tables_outbound_and_established(){
test_apt_installed "iptables" && test_apt_installed "iptables-persistent" || return 2
test_ip6tables_outbound_established
}       
# 3.5.3.3.4 Ensure ip6tables firewall rules exist for all open ports   
ip6tables_rules_for_open_ports(){
test_apt_installed "iptables" && test_apt_installed "iptables-persistent" || return 2
test_iptables_rules_for_open_ports "ip6tables"
}

# 4 Logging and Auditing     
# 4.1 Configure System Accounting (auditd)    
# 4.1.1 Ensure auditing is enabled    
# 4.1.1.1 Ensure auditd is installed  
audit_installed(){
test_apt_installed "auditd" && test_apt_installed "audispd-plugins"
}      
# 4.1.1.2 Ensure auditd service is enabled    
audit_run(){
audit_installed || return 2
test_service_enabled_run "auditd"
}    
# 4.1.1.3 Ensure auditing for processes that start prior to auditd is enabled  
audit_prior(){
audit_installed || return 2
test_audit_procs_prior_2_auditd
}
# 4.1.1.4 Ensure audit_backlog_limit is sufficient      
audit_backlog_limit(){
audit_installed || return 2
test_audit_backlog_limit
}  
# 4.1.2 Configure Data Retention     
# 4.1.2.1 Ensure audit log storage size is configured    
audit_size(){
audit_installed || return 2
test_audit_log_storage_size
} 
# 4.1.2.2 Ensure audit logs are not automatically deleted    
audit_not_deleted(){
audit_installed || return 2
test_keep_all_audit_info
}     
# 4.1.2.3 Ensure system is disabled when audit logs are full    
audit_full(){
audit_installed || return 2
test_dis_on_audit_log_full
}    
# 4.1.3 Ensure events that modify date and time information are collected 
audit_date_time(){
audit_installed || return 2
test_audit_date_time
}
# 4.1.4 Ensure events that modify user/group information are collected 
audit_user_group(){
audit_installed || return 2
test_audit_user_group
}
# 4.1.5 Ensure events that modify the system's network environment are collected 
audit_network_env(){
audit_installed || return 2
test_audit_network_env
}
# 4.1.6 Ensure events that modify the system's Mandatory Access Controls are collected
audit_sys_mac(){
audit_installed || return 2
test_audit_sys_mac
}         
# 4.1.7 Ensure login and logout events are collected    
audit_logins_logouts(){
audit_installed || return 2
test_audit_logins_logouts
}    
# 4.1.8 Ensure session initiation information is collected        
audit_session_init(){
audit_installed || return 2
test_audit_session_init
}
# 4.1.9 Ensure discretionary access control permission modification events are collected         
audit_dac_perm_mod_events(){
audit_installed || return 2
test_audit_dac_perm_mod_events
}
# 4.1.10 Ensure unsuccessful unauthorized file access attempts are collected   
unsuc_unauth_acc_attempts(){
audit_installed || return 2
test_unsuc_unauth_acc_attempts
}     
# 4.1.11 Ensure use of privileged commands is collected    
coll_priv_cmds(){
audit_installed || return 2
test_coll_priv_cmds
}    
# 4.1.12 Ensure successful file system mounts are collected   
coll_suc_fs_mnts(){
audit_installed || return 2
test_coll_suc_fs_mnts
}     
# 4.1.13 Ensure file deletion events by users are collected     
coll_file_del_events(){
audit_installed || return 2
test_coll_file_del_events
}   
# 4.1.14 Ensure changes to system administration scope (sudoers) is collected   
coll_chg2_sysadm_scope(){
audit_installed || return 2
test_coll_chg2_sysadm_scope
}  
# 4.1.15 Ensure system administrator command executions (sudo) are collected     
coll_sysadm_actions(){
audit_installed || return 2
test_coll_sysadm_actions
}
# 4.1.16 Ensure kernel module loading and unloading is collected   
kmod_lod_unlod(){
audit_installed || return 2
test_kmod_lod_unlod
}
# 4.1.17 Ensure the audit configuration is immutable    
audit_cfg_immut(){
audit_installed || return 2
test_audit_cfg_immut
}    
# 4.2 Configure Logging    
# 4.2.1 Configure rsyslog     
# 4.2.1.1 Ensure rsyslog is installed   
rsyslog_installed(){
test_apt_installed "rsyslog" || return 2
}     
# 4.2.1.2 Ensure rsyslog Service is enabled   
rsyslog_run(){
rsyslog_installed || return 2
test_service_enabled_run "rsyslog"
}
# 4.2.1.3 Ensure logging is configured    
rsyslog_file_perssion(){
rsyslog_installed || return 2 
# test_apt_installed "rsyslog"|| return 2
test_rsyslog_file_perssion
}    
# 4.2.1.4 Ensure rsyslog default file permissions configured  
rsyslog_configured(){
rsyslog_installed || return 2 
test_rsyslog_configured
}       
# 4.2.1.5 Ensure rsyslog is configured to send logs to a remote log host   
rsyslog_content(){
rsyslog_installed || return 2
test_rsyslog_content
}     
# 4.2.1.6 Ensure remote rsyslog messages are only accepted on designated log hosts.        
# 4.2.2 Configure journald    
# 4.2.2.1 Ensure journald is configured to send logs to rsyslog        
rsyslog_forwardToSyslog(){
test_rsyslog_journald "^\s*ForwardToSyslog=yes"
}
# 4.2.2.2 Ensure journald is configured to compress large log files  
rsyslog_compress(){
test_rsyslog_journald "^\s*Compress=yes"
} 
# 4.2.2.3 Ensure journald is configured to write logfiles to persistent disk  
rsyslog_storage(){
test_rsyslog_journald "^\s*Storage=persistent"
}      
# 4.2.3 Ensure permissions on all logfiles are configured  
var_log_files_permissions(){
test_var_log_files_permissions
}      
# 4.3 Ensure logrotate is configured         
logrotate_configured(){
test_logrotate_configured
}
# 4.4 Ensure logrotate assigns appropriate permissions        
logrotate_permissions(){
test_logrotate_permissions
}

# 5 Access, Authentication and Authorization    
# 5.1 Configure time-based job schedulers    
# 5.1.1 Ensure cron daemon is enabled and running   
cron_run(){
test_service_enabled_run "crond"
}     
# 5.1.2 Ensure permissions on /etc/crontab are configured    
cron_permissions(){
test_permissions_0600_root_root /etc/crontab
}    
# 5.1.3 Ensure permissions on /etc/cron.hourly are configured 
cron_hourly_permissions(){
test_permissions_0600_root_root /etc/cron.hourly
}
# 5.1.4 Ensure permissions on /etc/cron.daily are configured 
cron_daily_permissions(){
test_permissions_0600_root_root /etc/cron.daily 
}       
# 5.1.5 Ensure permissions on /etc/cron.weekly are configured   
cron_weekly_permissions(){
test_permissions_0600_root_root /etc/cron.weekly
}
# 5.1.6 Ensure permissions on /etc/cron.monthly are configured 
cron_monthly_permissions(){
test_permissions_0600_root_root /etc/cron.monthly
}
# 5.1.7 Ensure permissions on /etc/cron.d are configured        
crond_permissions(){
test_permissions_0700_root_root /etc/cron.d
}
# 5.1.8 Ensure cron is restricted to authorized users   
cron_auth(){
test_at_cron_auth_users
}     
# 5.1.9 Ensure at is restricted to authorized users   
at_auth(){
test_at_cron_auth_users
}     
# 5.2 Configure sudo     
# 5.2.1 Ensure sudo is installed         
sudo_installed(){
test_apt_installed "sudo"
}
# 5.2.2 Ensure sudo commands use pty   
sudo_use_pty(){
test_sudo_use_pty
}      
# 5.2.3 Ensure sudo log file exists       
sudo_log_file_configured(){
test_sudo_log_file_configured
} 
# 5.3 Configure SSH Server    
# 5.3.1 Ensure permissions on /etc/ssh/sshd_config are configured 
ssh_permissions(){
test_permissions_0600_root_root /etc/ssh/sshd_config
}       
# 5.3.2 Ensure permissions on SSH private host key files are configured  
ssh_private_permissions(){
test_ssh_keys_permissions "ssh_host_*_key"
}      
# 5.3.3 Ensure permissions on SSH public host key files are configured  
ssh_public_permissions(){
test_ssh_keys_permissions "ssh_host_*_key.pub"
}      
# 5.3.4 Ensure SSH access is limited     
ssh_limited(){
test_ssh_access
}   
# 5.3.5 Ensure SSH LogLevel is appropriate    
ssh_loglevel(){
test_ssh_loglevel
}    
# 5.3.6 Ensure SSH X11 forwarding is disabled    
ssh_x11_disabled(){
test_param "${SSHD_CFG}" X11Forwarding no
}    
# 5.3.7 Ensure SSH MaxAuthTries is set to 4 or less    
ssh_MaxAuthTries_le4(){
test_ssh_param_le MaxAuthTries 4
}    
# 5.3.8 Ensure SSH IgnoreRhosts is enabled 
ssh_IgnoreRhosts_enabled(){
test_param "${SSHD_CFG}" IgnoreRhosts yes
}        
# 5.3.9 Ensure SSH HostbasedAuthentication is disabled 
ssh_HostbasedAuthentication_disabled(){
test_param "${SSHD_CFG}" HostbasedAuthentication no
}       
# 5.3.10 Ensure SSH root login is disabled       
ssh_PermitRootLogin_disabled(){
test_param "${SSHD_CFG}" PermitRootLogin no
} 
# 5.3.11 Ensure SSH PermitEmptyPasswords is disabled 
ssh_PermitEmptyPasswords_disabled(){
test_param "${SSHD_CFG}" PermitEmptyPasswords no
}       
# 5.3.12 Ensure SSH PermitUserEnvironment is disabled     
ssh_PermitUserEnvironment_disabled(){
test_param "${SSHD_CFG}" PermitUserEnvironment no
}   
# 5.3.13 Ensure only strong Ciphers are used        
ssh_ciphers(){
test_ssh_strong_rule "^\s*ciphers\s+([^#]+,)?(3des-cbc|aes128-cbc|aes192-cbc|aes256-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|rijndael- cbc@lysator.liu.se)\b"
}
# 5.3.14 Ensure only strong MAC algorithms are used     
ssh_MACAlg(){
test_ssh_strong_rule "^\s*macs\s+([^#]+,)?(hmac-md5|hmac-md5-96|hmac-ripemd160|hmac- sha1|hmac-sha1-96|umac-64@openssh\.com|hmac-md5-etm@openssh\.com|hmac-md5-96- etm@openssh\.com|hmac-ripemd160-etm@openssh\.com|hmac-sha1- etm@openssh\.com|hmac-sha1-96-etm@openssh\.com|umac-64-etm@openssh\.com|umac- 128-etm@openssh\.com)\b"
}   
# 5.3.15 Ensure only strong Key Exchange algorithms are used   
ssh_KeyExchAlg(){
test_ssh_strong_rule "^\s*kexalgorithms\s+([^#]+,)?(diffie-hellman-group1-sha1|diffie- hellman-group14-sha1|diffie-hellman-group-exchange-sha1)\b"
}     
# 5.3.16 Ensure SSH Idle Timeout Interval is configured    
ssh_idle_timeout(){
test_ssh_idle_timeout
}    
# 5.3.17 Ensure SSH LoginGraceTime is set to one minute or less   
ssh_LoginGraceTime_le60(){
test_ssh_param_le LoginGraceTime 60
}
# 5.3.18 Ensure SSH warning banner is configured        
ssh_banner_configured(){
test_param "${SSHD_CFG}" Banner /etc/issue.net
}
# 5.3.19 Ensure SSH PAM is enabled    
ssh_pam_enabled(){
test_ssh_strong_rule "^\s*UsePAM\s+no"
}     
# 5.3.20 Ensure SSH AllowTcpForwarding is disabled        
ssh_AllowTcpForwarding_disabled(){
test_ssh_strong_rule "^\s*AllowTcpForwarding\s+yes"
}
# 5.3.21 Ensure SSH MaxStartups is configured    
ssh_MaxStartups_configured(){
test_ssh_strong_rule "^\s*maxstartups\s+(((1[1-9]|[1-9][0-9][0-9]+):([0-9]+):([0-9]+))|(([0-9]+):(3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):([0-9]+))|(([0-9]+):([0-9]+):(6[1-9]|[7-9][0-9]|[1-9][0-9][0-9]+)))"
}     
# 5.3.22 Ensure SSH MaxSessions is limited    
ssh_MaxStartups_limited(){
test_ssh_strong_rule "^\s*MaxSessions\s+(1[1-9]|[2-9][0-9]|[1-9][0-9][0-9]+)"
}    
# 5.4 Configure PAM    
# 5.4.1 Ensure password creation requirements are configured  
pam_pwquality(){
test_apt_installed libpam-pwquality || return 2
test_pam_pwquality
}  
# 5.4.2 Ensure lockout for failed password attempts is configured  
pam_lockout(){
test_apt_installed libpam-pwquality || return 2
test_password_lockout_configured
} 
# 5.4.3 Ensure password reuse is limited        
pam_limited(){
test_apt_installed libpam-pwquality || return 2
test_password_history
}
# 5.4.4 Ensure password hashing algorithm is SHA-512   
pam_SHA512(){
test_apt_installed libpam-pwquality || return 2
test_password_algorithm
}     
# 5.5 User Accounts and Environment     
# 5.5.1 Set Shadow Password Suite Parameters     
# 5.5.1.1 Ensure minimum days between password changes is configured  
password_changes_1(){
test_password_minium_change
}      
# 5.5.1.2 Ensure password expiration is 365 days or less    
password_expiration_365(){
test_password_expiration
}    
# 5.5.1.3 Ensure password expiration warning days is 7 or more 
password_expiration_warn(){
test_password_expiration_warn
}
# 5.5.1.4 Ensure inactive password lock is 30 days or less  
password_lock30(){
test_password_lock
}      
# 5.5.1.5 Ensure all users last password change date is in the past  
password_date(){
test_password_date
} 
# 5.5.2 Ensure system accounts are secured       
system_security_configured(){
local insecure_accounts=$(test_system_accounts_configured)
local insecure_passwords=$(test_password_status_configured)
if [ -z "$insecure_accounts" ] && [ -z "$insecure_passwords" ]; then
return
else
return 1
fi
} 
# 5.5.3 Ensure default group for the root account is GID 0     
root_gid0(){
test_root_group_id
}   
# 5.5.4 Ensure default user umask is 027 or more restrictive   
umask_configured(){
test_default_user_umask_configured
}    
# 5.5.5 Ensure default user shell timeout is 900 seconds or less    
shell_timeout(){
test_default_shell_timeout_configured
} 
# 5.6 Ensure root login is restricted to system console        
# 5.7 Ensure access to the su command is restricted    
su_restricted(){
test_access_to_su_command_restricted
}

# 6 System Maintenance    
# 6.1 System File Permissions    
# 6.1.1 Audit system file permissions 
system_file_permissions(){
test_system_file_perms
}       
# 6.1.2 Ensure permissions on /etc/passwd are configured         
etcpasswd_permissions(){
test_permissions_0644_root_root ${PASSWD}
}
# 6.1.3 Ensure permissions on /etc/passwd- are configured    
etcpasswd_bak_permissions(){
test_permissions_0644_root_root ${PASSWD}-
}    
# 6.1.4 Ensure permissions on /etc/group are configured     
group_permissions(){
test_permissions_0644_root_root ${GROUP}
}
# 6.1.5 Ensure permissions on /etc/group- are configured   
group_bak_permissions(){
test_permissions_0644_root_root ${GROUP}-
}    
# 6.1.6 Ensure permissions on /etc/shadow are configured 
shadow_permissions(){
test_permissions_0000_root_root ${SHADOW}
}     
# 6.1.7 Ensure permissions on /etc/shadow- are configured    
shadow_bak_permissions(){
test_permissions_0000_root_root ${SHADOW}-
}    
# 6.1.8 Ensure permissions on /etc/gshadow are configured   
gshadow_permissions(){
test_permissions_0000_root_root ${GSHADOW}
}     
# 6.1.9 Ensure permissions on /etc/gshadow- are configured  
group_permissions(){
test_permissions_0644_root_root ${GROUP}
}      
# 6.1.10 Ensure no world writable files exist  
wrld_writable_files(){
test_wrld_writable_files
}      
# 6.1.11 Ensure no unowned files or directories exist  
unowned_files(){
test_unowned_files
}       
#6.1.13 Audit SUID executables   
suid_executables(){
test_suid_executables
}
#6.1.14 Audit SGID executables   
sgid_executables(){
test_sgid_executables
}
#6.2 User and Group Settings      
#6.2.1 Ensure accounts in /etc/passwd use shadowed passwords   
passwd_use_shadowed(){
test_passwd_use_shadowed
}
#6.2.2 Ensure /etc/shadow password fields are not empty   
shadow_empty(){
test_shadow_empty
}       
# 6.2.3 Ensure all groups in /etc/passwd exist in /etc/group    
group_in_passwd(){
test_group_in_passwd
}     
# 6.2.4 Ensure all users' home directories exist    
users_home_exist(){
test_users_home
}    
# 6.2.5 Ensure users own their home directories 
users_home_own(){
test_users_home "own"
}       
# 6.2.6 Ensure users' home directories permissions are 750 or more restrictive 
users_home_permissions(){
test_users_home "permissions"
}    
# 6.2.7 Ensure users' dot files are not group or world writable   
users_home_dot(){
test_users_home "dot"
}     
# 6.2.8 Ensure no users have .netrc files    
users_home_netrc(){
test_users_home "netrc"
}    
# 6.2.9 Ensure no users have .forward files    
users_home_forward(){
test_users_home "forward"
}    
# 6.2.10 Ensure no users have .rhosts files  
users_home_rhosts(){
test_users_home "rhosts"
}      
# 6.2.11 Ensure root is the only UID 0 account     
uid_0(){
test_uid_0
}   
# 6.2.12 Ensure root PATH Integrity    
root_path_integrity(){
test_root_path_integrity
}     
# 6.2.13 Ensure no duplicate UIDs exist   
not_duplicate_uid(){
test_not_duplicate_uid 
}  
# 6.2.14 Ensure no duplicate GIDs exist  
not_duplicate_gid(){
test_no_duplicate_names "3" "$GROUP"
}
# 6.2.15 Ensure no duplicate user names exist   
uid_0(){
test_uid_0
}      
# 6.2.16 Ensure no duplicate group names exist      
not_duplicate_group(){
test_no_duplicate_names "1" "$GROUP"
}  
# 6.2.17 Ensure shadow group is empty  
group_empty(){
test_group_empty 
}
